A business model based on people making bad security trade-offs

2009-09-02

From time to time I am exposed to a new service, sometimes security-related, that promises something new. More often than not, the new security service is novel, but only because either no one really needs it, or because it does not form a good balance between security and other needs. The cases of the latter category are far more interesting.

In a mailing list discussion a few days ago, I learned of a new service for secure document storage. The name of the company is not important; I am not trying to harm anyone's business, just to teach my audience.

This service is about a secure document locker. You set up an account with that company, you pay some yearly amount, and you get to have them keep all your sensitive (electronic) documents for you: bank statements, passport copies, passwords, contracts, and what not. Obviously, this service keeps the documents for you and only gives them back to you, or to anyone you authorize. As a neat feature, it allows people to send in documents without seeing the documents that are already in.

But if the documents are so sensitive and confidential, then why would anyone trust an external service provider to protect them? Simply encrypting these documents locally and storing encrypted copies on a CD or FTP server for backup seems to be both cheaper and more secure at the same time; it is not less convenient either. This company simply bases its business model on people making the wrong security trade-off decisions. It expects customers to trust it where they have no real reason to, and where these customers get essentially nothing extra in return for their trust (other than a security compromise.)

Trusting a service provider is not necessarily bad. There are many companies that you trust regularly; banks, for example. However, the bank is a respectable century-old brand that you already trust with your real money. It is among the most heavily regulated of all your service providers. And, you trust it with your money primarily because you have no other practical choice — the service it provides is essential and is hard to obtain otherwise (that is, without any bank). You get something for your trust which you cannot practically get otherwise.

To protect your documents in case your house burns, you can encrypt them and send a copy of the encrypted files to your own mailbox. You get the same benefits without having to trust anyone and without paying (as much). The ability to let people add documents is also solved intuitively by using e-mail; no need to trust a third party for this use-case either.

Trust is a compromise, by definition; a cost. You trust when you get something in return which you cannot get as easily without giving away your trust. Logical people cannot be expected to trust a third party where the same features can be as easily obtained otherwise.